user8862290

Reputation: 81

Azure Active Directory and Custom attributes in JWT (Security

I am integrating a web app that uses a custom claim called "entitlements" in an access token which has 1 or more values that specify the privileges of the user within the app, i.e. user, reports, admin... Users are assigned one or more of these values. When I built it, I looked to see if Azure Active Directory would support adding this custom claim into the JWT and all the evidence indicated it was possible. Now that it is built I am trying to actually implement the integration with AAD. But it is not working. None of the instructions that I have come across actually work. The claim isn't present within the Access Token when generated and I cannot find a way to tell Azure to add it.

I have added a custom security attribute called "entitlements", added it to a user account with a value, gave the application as many API permissions as I can find and yet, when it comes time to add the custom attribute as a claim under Manage Claim, it is not visible. Only the user profile values are visible. Nothing that I do changes the list of values. They only contain the "user.*" properties.

My steps to get to this point:

  1. Create a free Azure AD account and elevate it to P2 license level.
  2. Elevate my user account to create custom security attribute definitions.
  3. Create custom security attribute definition.
  4. Create a custom security attribute with 8 different possible values that can be selected.
  5. Under user, add a custom security attribute with at least one value selected.
  6. Back under the application registration, api permissions, add all permissions that allow access to all possible values that might be relevant.
  7. Under Manifest, changed accessTokenAcceptedVersion to 2
  8. Added the optionalClaims within the Manifest, added the custom security attribute named "entitlements" with source as "user"
  9. Tried to add Optional Claim "entitlements" but not present. Addition of entry typed into Manifest indicates it will not be added to JWT since it is not a valid claim.
  10. I went to enterprise application, single sign on, Manage Claims, clicked on Add a claim, and looked for entitlements but only user.* properties are there from the profile area of a user.
  11. Typing the source attribute for entitlement just makes a string appear with the text "entitlements"

So has anyone successfully added an application with custom attributes attached to a user profile that are selectable and configured to have those attributes show up as a JWT claim? What did you do differently?

Upvotes: 5

Views: 1136

Answers (1)

user8862290

Reputation: 81

I was unable to add entitlements using the custom security attributes; however, by defining a set of roles within Azure AD and then assigning one of those roles to the user of the registered app in Azure, I was able to pass the roles claim in the JWT, which is a standard claim supported in the OAuth2 specification that my app supports. I could not find a way to insert any additional claims that are standard in OAuth2 but not listed as an optional or explicitly listed claim. The documentation states it can be done but I was not able to obtain a working result. Even adding a custom static claim did not work for me.

Upvotes: 1
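The workaround in the answer above moves the app's privilege data from a custom "entitlements" claim into the standard `roles` claim. The following is an added example, not the asker's code, of how the relying app can translate that claim back into its own entitlement names while failing closed when the claim is missing, malformed, or carries a role value the app does not recognise. The role values, entitlement names and sample claims are constructed; it assumes signature, issuer, audience and expiry have already been validated by a JWT library before this step.

```python
"""Map the Azure AD `roles` claim to application entitlements.

Runs after the token has been validated (signature, iss, aud, exp);
this step only interprets the claims. All names below are constructed.
"""
from typing import Iterable, Mapping

# Constructed appRoles as they would appear in the app registration
# manifest; `value` is what appears in the token's `roles` claim.
APP_ROLES = [
    {"value": "App.User", "displayName": "User", "isEnabled": True},
    {"value": "App.Reports", "displayName": "Reports", "isEnabled": True},
    {"value": "App.Admin", "displayName": "Admin", "isEnabled": True},
    {"value": "App.Legacy", "displayName": "Legacy", "isEnabled": False},
]

# App-side translation from role value to the entitlement names the
# app originally expected in its custom "entitlements" claim.
ROLE_TO_ENTITLEMENT = {
    "App.User": "user",
    "App.Reports": "reports",
    "App.Admin": "admin",
}


def enabled_role_values(app_roles: Iterable[Mapping]) -> set:
    """Role values a token may legitimately carry; disabled roles excluded."""
    return {r["value"] for r in app_roles if r.get("isEnabled", False)}


def entitlements_from_claims(claims: Mapping, app_roles=APP_ROLES) -> frozenset:
    """Entitlements granted by a validated token's claims.

    Fails closed: no `roles` claim, a non-list value, or an unknown or
    disabled role value contributes nothing.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return frozenset()
    allowed = enabled_role_values(app_roles)
    return frozenset(
        ROLE_TO_ENTITLEMENT[r] for r in roles
        if r in allowed and r in ROLE_TO_ENTITLEMENT
    )


# Constructed claims of a v2.0 access token after validation; the
# disabled and unknown role values must not produce entitlements.
SAMPLE_CLAIMS = {
    "ver": "2.0",
    "aud": "api://example-app-id-placeholder",
    "roles": ["App.User", "App.Reports", "App.Legacy", "Unknown.Role"],
}
```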
